Monitor Microsoft DNS Server log file

This simple Perl script analyzes the Microsoft DNS server log file and outputs the following information:

  • date
  • time
  • remote ip
  • fqdn

Microsoft DNS log field description

Each line of the Microsoft DNS log file contains the fields described below (the field number is the position of the space-separated column):

  • 1 Date
  • 2 Time
  • 3 Thread ID
  • 4 Context
  • 5 Internal packet identifier
  • 6 UDP/TCP indicator
  • 7 Send/Receive indicator
  • 8 Remote IP
  • 9 Xid (hex)
  • 10 Query/Response
    • R = Response
    • blank = Query
  • 11 Opcode
    • Q = Standard Query
    • N = Notify
    • U = Update
    • ? = Unknown
  • 12 [ Flags (hex)
  • 13 Flags (char codes)
    • A = Authoritative Answer
    • T = Truncated Response
    • D = Recursion Desired
    • R = Recursion Available
  • 14 ResponseCode ]
  • 15 Question Type
  • 16 Question Name

Fields 12 to 14 are written together between square brackets in the log file, which is why the brackets appear in the list above. The Question Name is written in its wire-format encoding, for example (3)www(6)google(3)com(0), where each number in parentheses is the length of the label that follows.

Perl requirement

To run this script, the Perl module File::Tail is required. You can install it by executing the command: cpan install File::Tail

Enable Microsoft DNS server debug logging

By default, debug logging is disabled. To enable it, follow these steps:

  • launch the DNS Server Management console: mmc dnsmgmt.msc
  • right-click the DNS server name, then click Properties
  • go to the “Debug Logging” tab
  • set the options as shown in the screenshot below
    [screenshot: dnslog]

Mount the log folder

In this script, the log file is located in the folder “/mount/log”. The mount point is defined like this in my fstab (a read-only CIFS mount of the share on the DNS server):
//dnsserver/dns /mount/log cifs credentials=/root/.smbpasswddns,noatime,ro,noserverino,nounix 0 0

The script

use strict;
use warnings;
use File::Tail;

my $name = "/mount/log/dns.log";

# tail => 0 starts at the end of the file, so only lines written from now on are reported
my $file = File::Tail->new(name => $name, maxinterval => 1, tail => 0);

while (defined(my $line = $file->read)) {
        chomp $line;
        next unless $line =~ / PACKET /;    # skip header, wrap and blank lines that carry no packet
        $line =~ s/ +/ /g;                  # collapse the padded columns into single spaces
        my @array = split / /, $line;
        my $date = $array[0];               # field 1: Date
        my $time = $array[1];               # field 2: Time (assumes no separate AM/PM token)
        my $remoteip = $array[7];           # field 8: Remote IP
        my $questionname = $array[-1];      # field 16: Question Name, e.g. (3)www(6)google(3)com(0)
        $questionname =~ s/\((\w+)\)/\./g;  # replace each (length) marker with a dot
        print "$date\n";
        print "$time\n";
        print "$remoteip\n";
        print "$questionname\n";
}
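The field list above and the Perl script both work on the same line layout. The following Python parser is an added example, not the page's own script: it maps every one of the 16 fields to a named attribute, decodes the (3)www(7)example(3)com(0) encoding into a plain FQDN, accepts a time column written as "9:24:20 AM" (two tokens, which would shift the Perl script's column indices), ignores the header and wrap lines the server writes, and then produces the same date/time/remote IP/FQDN rows as the script plus a per-client query count. The sample log text is constructed for the example, not captured from a real server, and the names DnsLogRecord, parse_line, client_queries and queries_per_client are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log text (not captured from a real server), laid out like the
# Microsoft DNS debug log. The time column uses the US "9:24:20 AM" form, so the
# time spans two space-separated tokens; the regex below accepts both forms.
SAMPLE_LOG = """\
DNS Server log file creation at 5/12/2013 9:24:10 AM
Log file wrap at 5/12/2013 9:24:10 AM

5/12/2013 9:24:20 AM 0D88 PACKET  00000000028A6E90 UDP Rcv 192.168.1.20    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/12/2013 9:24:20 AM 0D88 PACKET  00000000028A6E90 UDP Snd 192.168.1.20    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
5/12/2013 9:24:21 AM 0D88 PACKET  00000000028A7F10 UDP Rcv 192.168.1.31    a1b2   Q [0001   D   NOERROR] AAAA   (4)mail(7)example(3)com(0)
5/12/2013 9:24:22 AM 0D88 PACKET  00000000028A7F10 UDP Rcv 192.168.1.20    0003   Q [0001   D   NOERROR] PTR    (2)20(1)1(3)168(3)192(7)in-addr(4)arpa(0)
"""

# One named group per field of the 16-field layout; group names match the
# DnsLogRecord attributes except qr/qname, which are converted in parse_line.
LINE_RE = re.compile(
    r"""^(?P<date>\S+)\s+
        (?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+   # optional AM/PM token
        (?P<thread_id>[0-9A-Fa-f]+)\s+
        (?P<context>\S+)\s+
        (?P<packet_id>[0-9A-Fa-f]+)\s+
        (?P<proto>UDP|TCP)\s+
        (?P<direction>Snd|Rcv)\s+
        (?P<remote_ip>\S+)\s+
        (?P<xid>[0-9A-Fa-f]{4})\s+
        (?P<qr>R?)\s*                                  # R = response, blank = query
        (?P<opcode>[QNU?])\s+
        \[(?P<flags_hex>[0-9A-Fa-f]{4})\s+             # fields 12-14 sit inside [ ]
          (?P<flags_chars>[ATDR]*)\s+
          (?P<rcode>[A-Z]+)\]\s+
        (?P<qtype>\S+)\s+
        (?P<qname>\S+)\s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class DnsLogRecord:
    date: str
    time: str
    thread_id: str
    context: str
    packet_id: str
    proto: str
    direction: str
    remote_ip: str
    xid: str
    is_response: bool
    opcode: str
    flags_hex: str
    flags_chars: str
    rcode: str
    qtype: str
    fqdn: str


def decode_name(raw: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'.

    Each '(n)' is the length of the label that follows; the length is checked so
    a malformed field raises instead of being silently mangled.
    """
    labels = []
    for count, label in re.findall(r"\((\d+)\)([^(]*)", raw):
        if len(label) != int(count):
            raise ValueError(f"label length mismatch in {raw!r}")
        if label:
            labels.append(label)
    return ".".join(labels) if labels else "."


def parse_line(line: str) -> Optional[DnsLogRecord]:
    """Parse one PACKET line; return None for headers, blank lines and other noise."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    f = m.groupdict()
    f["is_response"] = f.pop("qr") == "R"
    f["fqdn"] = decode_name(f.pop("qname"))
    return DnsLogRecord(**f)


def parse_log(text: str) -> list:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def client_queries(records) -> list:
    """The four columns the Perl script prints, restricted to queries that
    clients sent to the server (received, and not a response)."""
    return [(r.date, r.time, r.remote_ip, r.fqdn)
            for r in records if r.direction == "Rcv" and not r.is_response]


def queries_per_client(records) -> Counter:
    """Received queries per remote IP: a quick way to spot an unusually chatty host."""
    return Counter(r.remote_ip for r in records
                   if r.direction == "Rcv" and not r.is_response)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for row in client_queries(recs):
        print(*row)
    print(queries_per_client(recs).most_common())
```

Filtering on direction Rcv with an empty Query/Response field is what separates the questions clients ask from the server's own answers and outbound recursion; the original script prints every line, so each query from a client shows up twice (once as Rcv, once as the Snd response). To tail a live file the same way the Perl script does, replace SAMPLE_LOG with lines read from the mounted dns.log.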